How to export a DNSSEC trust anchor in Windows Server 2012

How to export a DNSSEC trust anchor in Windows Server 2012

As discussed in Information on DNSSEC Trust Anchors, at least one trust anchor is necessary for a server to perform DNSSEC validation of responses for a zone. If a zone has an intact chain of trust from the root zone, the root trust anchor is sufficient for a server to validate responses for that zone, but if the zone's chain of trust from the root is broken, a validating server must possess a trust anchor for the zone or a parent zone with a secure delegation to the zone in question.

You may find it necessary to copy a trust anchor from one DNS server in your organization to another in order for the latter server to validate responses for a signed zone hosted by the former. When a zone is signed in Windows Server 2012 or 2012 R2, the trust anchor for that zone is stored in a text file on the zone's designated Key Master. The trust anchor cannot be exported via the DNS Manager console, but it can be copied via Windows Explorer or exported via a PowerShell cmdlet.

To copy a trust anchor via Windows Explorer, perform the following steps:

Open Windows Explorer on the Key Master and navigate to the C:\Windows\system32\dns folder.

To copy the DNSKEY trust anchor, locate the keyset-<zone> file, where <zone> is the name of the zone.
To copy a DS trust anchor, locate the dsset-<zone> file, where <zone> is the name of the zone.

Copy the appropriate file to a location where it can be accessed by other servers.

To export a trust anchor via Windows PowerShell, perform the following steps:

Open an elevated PowerShell prompt on the DNS server hosting the signed zone.

<host_server>: The FQDN of the DNS server hosting the zone<zone>: The name of the zone<path>: The UNC path of a shared folder accessible to the host server where the exported trust anchor will be placed

<host_server>: The FQDN of the DNS server hosting the zone<zone>: The name of the zone<path>: The UNC path of a shared folder accessible to the host server where the exported trust anchor will be placed<algorithm>: The hashing algorithm used to generate the hash of the zone's public key for the DS record. Acceptable values are sha1, sha256, and sha384.

Neither PowerShell cmdlet gives any feedback. The appropriate keyset-<zone> or dsset-<zone> file will be exported to the specified path.

Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.